It seems that never a day goes by without news that hackers have managed to steal the password database from some company or another.

Even when the company finds out – often several months later – simply telling everybody affected to change their password is not enough to stop any further damage from being done.

That's because people often use the same passwords for lots of different sites. Hackers are well aware of this, so once they manage to get hold of a password file they use automated scripts to try the same username and password combinations on a range of other sites.

More often than not they'll find some keys that fit the locks. If that happens to you, hackers can access any of your accounts that use the same login credentials and you'll probably not even notice.

This happened to the food delivery company Deliveroo. Customers found that food they'd never ordered was being charged to their accounts. In this case, the crooks behind the scam were simply trying out passwords and usernames that had been stolen from other sites to log into Deliveroo; none of the Deliveroo servers themselves had been hacked.

Fortunately, help is at hand in the form of a company called Shape Security who have launched a new product called Blackfish.

This so-called 'credential defence' service is designed to identify stolen passwords before a security breach is even reported by a company, or even before it has been detected.

It can do this before the stolen password files turn up for sale on the dark web. It works by trying to spot patterns of incorrect login attempts – which indicate that a hacker is automatically trying a list of stolen passwords. If it spots a correct login as part of this automated process, it can be pretty sure that the password has been stolen from another site.
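The pattern described above can be sketched over a login log. This is an added example, not Shape Security's code and not how Blackfish is implemented; the event format, the grouping by source IP and both thresholds are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Constructed sample events: (epoch_seconds, source_ip, username, success)
SAMPLE_EVENTS = [
    (1000, "203.0.113.7", "alice", False),
    (1002, "203.0.113.7", "bob", False),
    (1003, "198.51.100.4", "erin", False),   # a person mistyping
    (1004, "203.0.113.7", "carol", False),
    (1006, "203.0.113.7", "dave", False),
    (1008, "203.0.113.7", "frank", True),    # success inside the burst
    (1020, "198.51.100.4", "erin", True),    # ordinary retry, same user
    (1030, "203.0.113.7", "grace", False),
]

WINDOW_SECONDS = 60      # assumed look-back window
MIN_FAILED_USERS = 4     # assumed: distinct usernames failed before flagging


def flag_stuffed_logins(events, window=WINDOW_SECONDS, min_users=MIN_FAILED_USERS):
    """Return (username, source_ip) for each successful login that arrives
    while the same source has recently failed against many other usernames."""
    recent_failures = defaultdict(deque)   # source_ip -> deque of (ts, username)
    flagged = []
    for ts, ip, user, ok in sorted(events):
        failures = recent_failures[ip]
        # Drop failures that have aged out of the window.
        while failures and ts - failures[0][0] > window:
            failures.popleft()
        if not ok:
            failures.append((ts, user))
            continue
        # Count distinct *other* usernames, so one user retrying a typo
        # never looks like a list being replayed.
        others = {u for _, u in failures if u != user}
        if len(others) >= min_users:
            flagged.append((user, ip))
    return flagged


if __name__ == "__main__":
    for user, ip in flag_stuffed_logins(SAMPLE_EVENTS):
        print(f"force password reset for {user!r}: valid login inside burst from {ip}")
```

An account flagged this way is a candidate for a forced password reset, since its credentials worked as part of an automated run rather than a normal sign-in.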

Currently, three of the top four banks are using this technology, along with several airlines. Let's hope that it becomes standard on all websites soon.